The remote web server is hosting an outdated version of Drupal, a PHP-based open-source content management system. The version of Drupal installed on the remote server is 6.x prior to 6.35 or 7.x prior to 7.35, and is affected by the following vulnerabilities :
- An access bypass vulnerability exists in which password reset URLs can be forged. This allows a remote attacker to gain access to another user’s account. (CVE-2015-2559)
- An open redirect vulnerability exists which allows a remote attacker to craft a URL using the ‘destination’ parameter in order to trick users into being redirected to third-party sites. Additionally, several URL related API functions can be tricked into passing external URLs. (CVE-2015-2749, CVE-2015-2750)